DEV Community

Zane Chen
Zane Chen

Posted on • Updated on

How To Pull The Images on GCP Artifact Registry From On-premise K8S

To access Google Cloud Platform (GCP) Artifact Registry from a local Kubernetes cluster using a service account key file, you need to follow these steps:

  1. Create a GCP Service Account and Key File
  2. Create a Kubernetes Secret with the Service Account Key
  3. Configure Your Kubernetes Deployment to Use the Secret
  4. Pull Images from Artifact Registry

Step-by-Step Guide

1. Create a GCP Service Account and Key File

  1. Create the Service Account:
   gcloud iam service-accounts create my-service-account --display-name "My Service Account"
Enter fullscreen mode Exit fullscreen mode
  1. Grant the Necessary Roles to the Service Account:
   gcloud projects add-iam-policy-binding <YOUR-PROJECT-ID> \
       --member="serviceAccount:my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com" \
       --role="roles/artifactregistry.reader"
Enter fullscreen mode Exit fullscreen mode

Replace <YOUR-PROJECT-ID> with your GCP project ID.

  1. Create and Download the Key File:
   gcloud iam service-accounts keys create key.json \
       --iam-account my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com
Enter fullscreen mode Exit fullscreen mode

2. Create a Kubernetes Secret with the Service Account Key

  1. Create the Secret:
   kubectl create secret docker-registry gcp-artifact-registry \
       --docker-server=LOCATION-docker.pkg.dev \
       --docker-username=_json_key \
       --docker-password="$(cat key.json)" \
       --docker-email=your-email@example.com
Enter fullscreen mode Exit fullscreen mode

Replace:

  • LOCATION with the location of your Artifact Registry (e.g., us-central1).
  • your-email@example.com with your email.

3. Configure Your Kubernetes Deployment to Use the Secret

Update your Kubernetes deployment YAML to reference the secret for pulling images.

  1. Update Deployment YAML:
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: my-app
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: my-app
     template:
       metadata:
         labels:
           app: my-app
       spec:
         containers:
         - name: my-app
           image: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
           ports:
           - containerPort: 8080
         imagePullSecrets:
         - name: gcp-artifact-registry
Enter fullscreen mode Exit fullscreen mode

Replace the placeholders:

  • LOCATION with your Artifact Registry location (e.g., us-central1).
  • PROJECT-ID with your GCP project ID.
  • REPOSITORY with the name of your repository.
  • IMAGE:TAG with the specific image and tag you want to use.
  1. Apply the Deployment:
   kubectl apply -f deployment.yaml
Enter fullscreen mode Exit fullscreen mode

4. Verify the Setup

  1. Check the Deployment Status:
   kubectl get pods
Enter fullscreen mode Exit fullscreen mode
  1. Describe a Pod to Verify Image Pull:
   kubectl describe pod <POD-NAME>
Enter fullscreen mode Exit fullscreen mode

Look for the events section to see if the image was pulled successfully.

Summary

By following these steps, you configure your local Kubernetes cluster to authenticate with GCP Artifact Registry using a service account key file. This involves creating a service account and key, storing the key as a Kubernetes secret, and updating your deployments to use the secret for image pulls. This setup ensures secure and efficient access to your container images stored in GCP Artifact Registry.

Refs

https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#key
https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key

Top comments (1)

Collapse
 
nieebel profile image
Nieebel

The enhanced version of this would be to not copy a password over to k8s but instead establish trust between GCP and K8s like described here medium.com/google-cloud/keyless-go... (in this case, trust is established between GCP and Github)